Rule Category

MALWARE-OTHER --

Alert Message

MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt

Rule Explanation

This event is generated when an RTF file that is seen using indicators observed in APT group activity. Impact: Potential Code Execution Details: This rule targets an APT campaign leveraging CVE-2018-0798 which exploits an undisclosed vector in the Equation Editor for Microsoft Office. In particular this is geared towards the overwrite of the least significant two bytes of the return address for code execution. Ease of Attack: Easy

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

Additional Links

Rule Vulnerability

CVE Additional Information

CVE-2018-0798
Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability".
Details
Severity Base Score8.8
Impact Score5.9 Exploit Score2.8
Confidentiality ImpactHIGH Integrity ImpactHIGH
Availability ImpactHIGH Attack VectorNETWORK
ScopeUNCHANGED User InteractionREQUIRED
Authentication Ease of AccessLOW
Privileges RequiredNONE